Blackhole in 2013: What Is It Up To?

2013 has seen some significant changes in the way that attackers use the Blackhole exploit kit in spam attacks. To understand what these changes are, however, let us first go into what Blackhole did in late 2012.

Last year, the majority of URLs found in Blackhole-related phishing messages had the following format:

http://{compromised or abused site}/{eight-character code}/index.html

For example, a spam run in November contained a link to the website at:

http://{domain #1}/Pz1Fa7u/index.html

The link above redirected users to two URLs:

http://{domain #2}/9WFM1cgc/js.js

http://{domain #3}/0s3FmfEC/js.js

Both of these URLs were hosted on compromised sites. While the webhosting account of domain #2 was suspended, the redundancy of using two redirection pages allowed the attack to continue. The URL at domain #3 led to the malicious landing page, which was located at:

http://{malicious site}/links/created_danger.php

It’s not unusual for multiple redirection pages to lead to a single malicious URL. Frequently, even different spam runs will lead to the same malicious landing page.

The vast majority of URLs used in these attacks are either on compromised servers or on free webhosts whose services have been abused by cybercriminals. Both have always been used for malicious attacks, but their usage has increased significantly. These redirection pages, whether on compromised or abused servers, send users on to the landing pages: the pages that contain the exploits which actually infect them.

These eight-character codes look random, but they aren’t. In fact, criminals use them to track and monitor the progress of their campaigns, much like marketing professionals track a mailing. The same code is used across multiple sites, which makes perfect sense, as an attack is unlikely to be limited to only one malicious domain. Even so, we have gathered a staggering number of them: from April until the end of 2012, we identified more than 100,000 distinct tracking codes.

Why have spammers decided to focus on compromised and abused sites? The malicious emails used in Blackhole-related spam runs have content identical to legitimate emails, so to properly defend against these types of attacks, security solutions need to examine the URLs in these messages.

By hosting their redirection pages on “legitimate” sites, attackers make life more difficult for security vendors. The risk of false positives is increased, as vendors may block entire websites because of a single malicious redirection page those sites unknowingly host.

Illustrating the scale of the threat will help clarify things. In the second half of the year, we detected more than 53,000 compromised sites that were used in Blackhole Exploit Kit (BHEK) spam campaigns. For the same period, we identified 358 BHEK spam runs that contained eight-character tracking codes, which led to 284 distinct malicious landing sites. There were always more redirection sites than malicious landing pages, as seen in the graph below:

Average number of compromised/abused sites for each malicious landing page

There are two types of sites that host these redirection pages: pages on hacked/compromised web servers, or pages on domains registered with free webhosting providers. The appeal of the latter makes perfect sense: the risk of false positives for defenders is just as elevated, and if anything the attacker’s costs are even lower because the sites are free.

An aside here: we report these pages to free webhosting providers as soon as we find them. Since we began doing this, the number of abused sites we see from some providers has gone down significantly. Also, we have never received a report from these providers that we submitted a false positive.

In 2013, what are we seeing? What we’re seeing is that Blackhole spam runs no longer use this eight-character format at all. We saw them in limited numbers for a few days in very early January, but after that, they dropped completely off the map.

What we are seeing now is that four distinct flavors of URL are in use:

A WordPress URL. These pretend to be under the wp-content directory, where WordPress themes are stored, and end in an HTML file. That by itself should be an indicator: WordPress themes are built from PHP template files, so a standalone .html file sitting in a theme directory is out of place.

URLs with a dictionary word as the directory name. These have a URL format something like {compromised site}/{dictionary word}/index.html. This is very similar to the earlier format, except that dictionary words are used instead of random strings. A user would have a hard time telling whether a link is legitimate simply from the URL.

URLs with a dictionary word as the file name. These will have a URL format similar to {compromised site}/{dictionary word}.html. Conceptually, this is similar to the previous example, with similar consequences for end users.

The fourth flavor isn’t even a URL. Instead, an HTML file that leads to the exploit kit directly is attached to the phishing message.
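The URL formats above, together with the tracking-code grouping described earlier in the post, are straightforward to turn into a triage script. The following is an added example, not Trend Micro’s tooling: it parses a handful of constructed sample messages, classifies each URL path as the 2012 tracking-code format or one of the three 2013 URL flavors, flags HTML attachments (the fourth flavor), and groups tracking codes by the hosts they appear on. The hostnames (under the reserved .test TLD), the small word list standing in for a dictionary, the looks_random() heuristic and the sample mail bodies are all assumptions made for this example.

```python
"""Triage constructed spam messages for the Blackhole URL flavors described above.
Added example, not Trend Micro's tooling: hostnames, the word list,
looks_random() and the sample mails are all constructed for illustration."""
import re
from collections import defaultdict
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed stand-in for the "dictionary words" the text describes.
DICTIONARY = {"invoice", "statement", "report", "document", "receipt", "order"}


def looks_random(token: str) -> bool:
    """Crude test for a tracking code: mixed case or several digits (e.g. 9WFM1cgc)."""
    mixed_case = any(c.isupper() for c in token) and any(c.islower() for c in token)
    digits = sum(c.isdigit() for c in token)
    return mixed_case or digits >= 2


def classify_path(path: str):
    """Map a URL path to one of the flavors in the text, returning (flavor, tag)."""
    segments = [s for s in path.split("/") if s]
    # 2013 flavor 1: an .html file under wp-content (themes are PHP templates).
    if len(segments) >= 2 and segments[0] == "wp-content" and segments[-1].lower().endswith(".html"):
        return "wp_theme_html", None
    # 2012 format /{code}/index.html and 2013 flavor 2 /{word}/index.html.
    if len(segments) == 2 and segments[1] == "index.html":
        head = segments[0]
        if head.lower() in DICTIONARY:
            return "dict_dir", head
        # The text says eight characters; its own November example (Pz1Fa7u) has seven.
        if head.isalnum() and 7 <= len(head) <= 8 and looks_random(head):
            return "tracking_code", head
    # 2013 flavor 3: /{word}.html directly under the site root.
    if len(segments) == 1 and segments[0].lower().endswith(".html"):
        stem = segments[0][:-5]
        if stem.lower() in DICTIONARY:
            return "dict_file", stem
    return "none", None


def triage_message(raw: str) -> dict:
    """Collect (url, flavor, tag) triples and HTML attachment names from one raw message."""
    msg = message_from_string(raw, policy=default)
    findings = {"urls": [], "html_attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            # 2013 flavor 4: the redirector is attached rather than linked.
            if filename.lower().endswith((".html", ".htm")):
                findings["html_attachments"].append(filename)
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                flavor, tag = classify_path(urlparse(url).path)
                findings["urls"].append((url, flavor, tag))
    return findings


def campaign_report(messages) -> dict:
    """Group hosts by tracking code: one code seen on several domains is one campaign."""
    by_code = defaultdict(set)
    for raw in messages:
        for url, flavor, tag in triage_message(raw)["urls"]:
            if flavor == "tracking_code":
                by_code[tag].add(urlparse(url).hostname)
    return {code: sorted(hosts) for code, hosts in by_code.items()}


def make_message(subject: str, body: str, attachment_name=None) -> str:
    """Build a constructed sample mail (real BHEK mails copy legitimate templates)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"<html><body>redirector</body></html>",
                           maintype="text", subtype="html", filename=attachment_name)
    return msg.as_string()


# Constructed samples: the same code on two hosts, then the four 2013 flavors.
SAMPLE_MESSAGES = [
    make_message("Your order has shipped", "Track it: http://shop.example.test/9WFM1cgc/index.html"),
    make_message("Payment received", "Receipt: http://news.example.test/9WFM1cgc/index.html"),
    make_message("Invoice attached", "See http://blog.example.test/wp-content/themes/twentyten/invoice.html"),
    make_message("Account statement", "View: http://shop.example.test/statement/index.html"),
    make_message("Invoice", "Download: http://corp.example.test/invoice.html"),
    make_message("Invoice", "Your invoice is attached.", attachment_name="Invoice_2013.html"),
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(triage_message(raw))
    print(campaign_report(SAMPLE_MESSAGES))
```

Run it directly to print the findings for each sample and the per-code host grouping. The looks_random() check is a deliberately simple stand-in for “looks random”; a production filter would use a real dictionary and a reputation source for the host, because every one of these path shapes can also occur on a perfectly legitimate site, which is exactly the false-positive problem the post describes.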

Of course, all of these URLs are embedded in phishing messages that use the same content as real messages, as BHEK spam runs have done for almost a year.

So what should users and system administrators know?

Conventional spam and phishing attacks still work, even if they don’t get the attention they used to. It’s easy for people to believe that in the days of social media and instant communication spam and phishing don’t matter, but they do. Phishing is still a highly effective tactic that can be used to deliver a wide range of attacks to end users. In addition, phishing attacks no longer need users to enter their data manually; instead, the malware delivered by the exploit kit steals the information with no user input or interaction.

Many spam and phishing best practices don’t work any more. Traditionally, best practices and tools have focused on using message content to screen out malicious messages. That is no longer viable. Today, a majority of all malicious messages we see are of this type. In the face of this level of spam and phishing that is, content-wise, identical to legitimate messages, focusing on content (as many suggestions and tools do) is not a feasible solution by itself. Antispam vendors have to be able to look beyond just the content of messages, at the URLs they carry, in order to create feasible solutions for users; this is something that Trend Micro has been pursuing for a long time.

Our findings are in line with our 2013 predictions. We noted then that not only would legitimate services be abused, but that the way threats are deployed would evolve and become more sophisticated. Both of these have been proven true this early in the year with the latest developments in this area.
